symmetric-encryption 3.4.0 → 3.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6c78c33fe68704b26ebd996fd8ea8785d73c6fa1
-  data.tar.gz: 5f1534c06fae8c76cfc0dccf5a2612ce45fbf683
+  metadata.gz: 888fb42ac32f310999fea9a5cfa4449e6c3802df
+  data.tar.gz: 4709db73139a8c5654b37f7fd8a8a2dd8cb2f00b
 SHA512:
-  metadata.gz: 1fdf134465788b41776a086b5f86d0e2c43778899263bb9c3c702124779b5cad0d61466c1af15a11338959f76b7f6435598be7cb0f80d2c92a8d50727c21d372
-  data.tar.gz: 99a8de3d8d8aa73832f9541b7ab1b448685cd99739a59c600e543f4b27ef55b7c7025b3aaa62d2a0ae91c086aea30e9d9ac08209c2bfb1df7b4bf45ae8ac28eb
+  metadata.gz: 85cc771aa2e69f51a386880353f42a5253974b89cd2fc5153dfe3ab5a01d5e43aad7b1fb995f961579271d245a0477bbc926cbc860896ad26a7ebed92e755103
+  data.tar.gz: bc0ca28f71e48111c594439de184ebe6b46110b0ce25c93da96afc01c2ceeeed21d46daa11ec91c626fb14147dc3ed2c8e932f541e765b0225ee0d03bbb2dc78

data/README.md

@@ -1,4 +1,4 @@
-symmetric-encryption
+symmetric-encryption [![Build Status](https://secure.travis-ci.org/reidmorrison/symmetric-encryption.png?branch=master)](http://travis-ci.org/reidmorrison/symmetric-encryption)
 ====================
 
 * http://github.com/reidmorrison/symmetric-encryption
@@ -15,30 +15,6 @@ and consistent way
 Symmetric Encryption uses OpenSSL to encrypt and decrypt data, and can therefore
 expose all the encryption algorithms supported by OpenSSL.
 
-## Upgrading from earlier versions to SymmetricEncryption V3
-
-In version 3 of SymmetricEncryption, the following changes have been made that
-may have backward compatibility issues:
-
-* SymmetricEncryption.decrypt no longer rotates through all the decryption keys
-  when previous ciphers fail to decrypt the encrypted string.
-  In a very small, yet significant number of cases it was possible to decrypt data
-  using the incorrect key. Clearly the data returned was garbage, but it still
-  returned a string of data instead of throwing an exception.
-  See SymmetricEncryption.select_cipher to supply your own custom logic to
-  determine the correct cipher to use when the encrypted string does not have a
-  header and multiple ciphers are defined.
-
-* Configuration file format prior to V1 is no longer supported
-
-* New configuration option has been added to support setting encryption keys
-  from environment variables
-
-* Cipher.parse_magic_header! now returns a Struct instead of an Array
-
-* New config options :encrypted_key and :encrypted_iv to support setting
-  the encryption key in environment variables
-
 ## Security
 
 Many solutions that encrypt data require the encryption keys to be stored in the
@@ -100,7 +76,7 @@ is available when reading back the encrypted file/stream. The key is placed
 in a header on the file in encrypted form using the current global key/cipher.
 
 The ActiveRecord attr_encrypted method supports the :random_iv => true option.
-Similarly for Mongoid the :random_iv => true option can be added.
+Similarly for MongoMapper and Mongoid the :random_iv => true option can be added.
 
 Note that encrypting the same input string with the same key and :random_iv => true
 option will result in different encrypted output every time it is encrypted.
@@ -110,6 +86,7 @@ option will result in different encrypted output every time it is encrypted.
 * Encryption of passwords in configuration files
 * Encryption of ActiveRecord model attributes by prefixing attributes / column
   names with encrypted_
+* Encryption of MongoMapper keys by using :encrypted_key
 * Encryption of Mongoid model fields by adding :encrypted option to field
   definitions
 * Externalization of symmetric encryption keys so that they are not in the
@@ -134,8 +111,8 @@ option will result in different encrypted output every time it is encrypted.
 * Add the encryption header to all encrypted strings.
   See the _always_add_header_ option in the configuration file.
 
-* Set :random_iv => true for all ActiveRecord attributes and Mongoid fields
-  which are not used in indexes and will not be used as part of a query.
+* Add `random_iv: true` for all ActiveRecord attributes, MongoMapper keys, and
+  Mongoid fields which are not used in indexes and will not be used as part of a query.
 
 ## Binary Data
 
@@ -174,19 +151,19 @@ class User < ActiveRecord::Base
   # encrypted string
   #
   # Requires users table to have a column called encrypted_age of type string
-  attr_encrypted :age,         :type => :integer
+  attr_encrypted :age,         type: integer
 
   # Since string and long_string are not used in the where clause of any SQL
   # queries it is better to ensure that the encrypted value is always different
   # by encrypting every value with a random Initialization Vector.
   #
   # Note: Encrypting the same value twice will result in different encrypted
-  #       values when :random_iv => true
-  attr_encrypted :string,      :random_iv => true
+  #       values when :random_iv is true
+  attr_encrypted :string,      random_iv: true
 
   # Long encrypted strings can also be compressed prior to encryption to save
   # disk space
-  attr_encrypted :long_string, :random_iv => true, :compress => true
+  attr_encrypted :long_string, random_iv: true, compress: true
 
   # By specifying the type as :json the value will be serialized to JSON
   # before encryption and deserialized from JSON after decryption.
@@ -195,10 +172,10 @@ class User < ActiveRecord::Base
   # compression before the string is encrypted
   #
   # Requires users table to have a column called encrypted_values of type string
-  attr_encrypted :values,      :type => :json, :compress => true
+  attr_encrypted :values,      type: :json, compress: true
 
-  validates :encrypted_bank_account_number, :symmetric_encryption => true
-  validates :encrypted_social_security_number, :symmetric_encryption => true
+  validates :encrypted_bank_account_number, symmetric_encryption: true
+  validates :encrypted_social_security_number, symmetric_encryption: true
 end
 
 # Create a new user instance assigning a bank account number
@@ -210,7 +187,7 @@ user.bank_account_number = '12345'
 user.save!
 
 # Short example using create
-User.create(:bank_account_number => '12345')
+User.create(bank_account_number: '12345')
 ```
 
 Several types are supported for ActiveRecord models when encrypting or decrypting data.
@@ -226,9 +203,57 @@ Each type maps to the built-in Ruby types as follows:
 - :json      => Uses JSON serialization, useful for hashes and arrays
 - :yaml      => Uses YAML serialization, useful for hashes and arrays
 
+### MongoMapper Example
+
+To encrypt a field in a MongoMapper document, use `encrypted_key` instead of `key`
+when specifying a key.
+
+```ruby
+  field :encrypted_age,                    type: String, encrypted: {type: :integer}
+end
+
+# User model MongoMapper
+class User
+  include MongoMapper::Document
+
+  key           :name,                   String
+  encrypted_key :bank_account_number,    String
+  encrypted_key :social_security_number, String
+  encrypted_key :life_history,           String, encrypted: { random_iv: true, compress: true }
+
+  # Encrypted fields are _always_ stored in Mongo as a String
+  # To get the result back as an Integer, Symmetric Encryption will automatically
+  # perform the necessary conversions
+  encrypted_key :integer_value,          Integer
+  encrypted_key :float_value,            Float
+  encrypted_key :decimal_value,          BigDecimal
+  encrypted_key :datetime_value,         DateTime
+  encrypted_key :time_value,             Time
+  encrypted_key :date_value,             Date
+  encrypted_key :true_value,             Boolean
+  encrypted_key :data_json,              Hash, encrypted: {random_iv: true, compress: true}
+  # By default Hash is saved as JSON, to save as YAML add the type specifier:
+  encrypted_key :data_yaml,              Hash, encrypted: {random_iv: true, compress: true, type: :yaml}
+
+  # Optionally add validation to ensure that encrypted fields are in fact encrypted
+  # before the data is saved
+  validates :encrypted_bank_account_number,    symmetric_encryption: true
+  validates :encrypted_social_security_number, symmetric_encryption: true
+end
+
+# Create a new user document
+User.create(bank_account_number: '12345')
+
+# When finding a document, always use the encrypted form of the field name
+user = User.where(encrypted_bank_account_number: SymmetricEncryption.encrypt('12345')).first
+
+# Fields can be accessed using their unencrypted names
+puts user.bank_account_number
+```
+
 ### Mongoid Example
 
-To encrypt a field in a Mongoid document, just add ":encrypted => true" at the end
+To encrypt a field in a Mongoid document, just add "encrypted: true" at the end
 of the field specifier. The field name must currently begin with "encrypted_"
 
 ```ruby
@@ -236,36 +261,34 @@ of the field specifier. The field name must currently begin with "encrypted_"
 class User
   include Mongoid::Document
 
-  field :name,                             :type => String
-  field :encrypted_bank_account_number,    :type => String,  :encrypted => true
-  field :encrypted_social_security_number, :type => String,  :encrypted => true
-  field :encrypted_life_history,           :type => String,  :encrypted => {:compress => true, :random_iv => true}
+  field :name,                             type: String
+  field :encrypted_bank_account_number,    type: String,  encrypted: true
+  field :encrypted_social_security_number, type: String,  encrypted: true
+  field :encrypted_life_history,           type: String,  encrypted: {compress: true, random_iv: true}
 
   # Encrypted fields are _always_ stored in Mongo as a String
   # To get the result back as an Integer, Symmetric Encryption can do the
   # necessary conversions by specifying the internal type as an option
   # to :encrypted
   # #see SymmetricEncryption::COERCION_TYPES for full list of types
-  field :encrypted_age,                    :type => String, :encrypted => {:type => :integer}
+  field :encrypted_age,                    type: String, encrypted: {type: :integer}
 end
 
 # Create a new user document
-User.create(:bank_account_number => '12345')
+User.create(bank_account_number: '12345')
 
 # When finding a document, always use the encrypted form of the field name
-user = User.where(:encrypted_bank_account_number => SymmetricEncryption.encrypt('12345')).first
+user = User.where(encrypted_bank_account_number: SymmetricEncryption.encrypt('12345')).first
 
 # Fields can be accessed using their unencrypted names
 puts user.bank_account_number
 ```
 
-Note: At this time Symmetric Encryption only supports Mongoid fields with a type of String
-
 ### Validation Example
 
 ```ruby
 class MyModel < ActiveRecord::Base
-  validates :encrypted_ssn, :symmetric_encryption => true
+  validates :encrypted_ssn, symmetric_encryption: true
 end
 
 m = MyModel.new
@@ -330,7 +353,7 @@ end
 Example: Compress, Encrypt and write data to a file
 
 ```ruby
-SymmetricEncryption::Writer.open('encrypted_compressed.zip', :compress => true) do |file|
+SymmetricEncryption::Writer.open('encrypted_compressed.zip', compress: true) do |file|
   file.write "Hello World\n"
   file.write "Compress this\n"
   file.write "Keep this safe and secure\n"
@@ -344,9 +367,9 @@ Before generating keys we can use SymmetricEncryption in a standalone test envir
 ```ruby
 # Use test encryption keys
 SymmetricEncryption.cipher = SymmetricEncryption::Cipher.new(
-  :key         => '1234567890ABCDEF1234567890ABCDEF',
-  :iv          => '1234567890ABCDEF',
-  :cipher_name => 'aes-128-cbc'
+  key:         '1234567890ABCDEF1234567890ABCDEF',
+  iv:          '1234567890ABCDEF',
+  cipher_name: 'aes-128-cbc'
 )
 encrypted = SymmetricEncryption.encrypt('hello world')
 puts SymmetricEncryption.decrypt(encrypted)
@@ -685,6 +708,30 @@ production:
      Default: false
 ```
 
+## Upgrading from earlier versions to SymmetricEncryption V3
+
+In version 3 of SymmetricEncryption, the following changes have been made that
+may have backward compatibility issues:
+
+* SymmetricEncryption.decrypt no longer rotates through all the decryption keys
+  when previous ciphers fail to decrypt the encrypted string.
+  In a very small, yet significant number of cases it was possible to decrypt data
+  using the incorrect key. Clearly the data returned was garbage, but it still
+  returned a string of data instead of throwing an exception.
+  See SymmetricEncryption.select_cipher to supply your own custom logic to
+  determine the correct cipher to use when the encrypted string does not have a
+  header and multiple ciphers are defined.
+
+* Configuration file format prior to V1 is no longer supported
+
+* New configuration option has been added to support setting encryption keys
+  from environment variables
+
+* Cipher.parse_magic_header! now returns a Struct instead of an Array
+
+* New config options :encrypted_key and :encrypted_iv to support setting
+  the encryption key in environment variables
+
 Meta
 ----
 
@@ -695,16 +742,16 @@ Meta
 
 This project uses [Semantic Versioning](http://semver.org/).
 
-Authors
--------
+Author
+------
 
 [Reid Morrison](https://github.com/reidmorrison)
 
 Contributors
 ------------
 
-[M. Scott Ford](https://github.com/mscottford)
-[Adam St. John](https://github.com/astjohn)
+* [M. Scott Ford](https://github.com/mscottford)
+* [Adam St. John](https://github.com/astjohn)
 
 License
 -------

data/Rakefile

@@ -1,15 +1,18 @@
-lib = File.expand_path('../lib/', __FILE__)
-$:.unshift lib unless $:.include?(lib)
-
-require 'rubygems'
-require 'rubygems/package'
 require 'rake/clean'
 require 'rake/testtask'
+
+$LOAD_PATH.unshift File.expand_path("../lib", __FILE__)
 require 'symmetric_encryption/version'
 
-desc "Build gem"
-task :gem  do |t|
-  Gem::Package.build(Gem::Specification.load('symmetric-encryption.gemspec'))
+task :gem do
+  system "gem build symmetric-encryption.gemspec"
+end
+
+task :publish => :gem do
+  system "git tag -a v#{SymmetricEncryption::VERSION} -m 'Tagging #{SymmetricEncryption::VERSION}'"
+  system "git push --tags"
+  system "gem push symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
+  system "rm symmetric-encryption-#{SymmetricEncryption::VERSION}.gem"
 end
 
 desc "Run Test Suite"
@@ -24,3 +27,5 @@ task :test do
 
   Rake::Task['functional'].invoke
 end
+
+task :default => :test

data/lib/rails/generators/symmetric_encryption/config/config_generator.rb

@@ -3,7 +3,7 @@ module SymmetricEncryption
     class ConfigGenerator < Rails::Generators::Base
       desc "Creates a SymmetricEncryption configuration file at config/symmetric-encryption.yml"
 
-      argument :key_path, :type => :string, :optional => false
+      argument :key_path, type: :string, optional: false
 
       def self.source_root
         @_symmetric_encryption_source_root ||= File.expand_path("../templates", __FILE__)

data/lib/rails/generators/symmetric_encryption/heroku_config/templates/symmetric-encryption.yml

@@ -23,7 +23,7 @@ encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
 
 puts "\n\n********************************************************************************"
 puts "Add the release environment key to Heroku: (Optional)\n\n"
-puts "  heroku config:add RELEASE_KEY1:#{encrypted_key}\n\n"
+puts "  heroku config:add RELEASE_KEY1=#{encrypted_key}\n\n"
 -%>
 release:
   # Since the key to encrypt and decrypt with must NOT be stored along with the
@@ -52,7 +52,7 @@ iv            = ::Base64.strict_encode64(key_pair[:iv])
 encrypted_key = ::Base64.strict_encode64(rsa_key.public_encrypt(key_pair[:key]))
 
 puts "Add the production key to Heroku:\n\n"
-puts "  heroku config:add PRODUCTION_KEY1:#{encrypted_key}\n\n"
+puts "  heroku config:add PRODUCTION_KEY1=#{encrypted_key}\n\n"
 puts "********************************************************************************\n\n\n"
 -%>
 production:

data/lib/rails/generators/symmetric_encryption/new_keys/new_keys_generator.rb

@@ -2,8 +2,8 @@ module SymmetricEncryption
   module Generators
     class NewKeysGenerator < Rails::Generators::Base
       desc "Generate new Symmetric key and initialization vector based on values in config/symmetric-encryption.yml"
-      
-      argument :environment, :type => :string, :optional => false
+
+      argument :environment, type: :string, optional: false
 
       def create_config_file
         SymmetricEncryption.generate_symmetric_key_files(File.join('config', "symmetric-encryption.yml"), environment)

data/lib/symmetric_encryption.rb

@@ -8,13 +8,14 @@ require 'symmetric_encryption/cipher'
 require 'symmetric_encryption/symmetric_encryption'
 
 module SymmetricEncryption
-  autoload :Reader, 'symmetric_encryption/reader'
-  autoload :Writer, 'symmetric_encryption/writer'
-end
-if defined?(Rails)
-  require 'symmetric_encryption/railtie'
+  autoload :Reader,    'symmetric_encryption/reader'
+  autoload :Writer,    'symmetric_encryption/writer'
+  autoload :Generator, 'symmetric_encryption/generator'
 end
 
+# Add support for other libraries only if they have already been loaded
+require 'symmetric_encryption/railtie' if defined?(Rails)
 require 'symmetric_encryption/extensions/active_record/base' if defined?(ActiveRecord::Base)
 require 'symmetric_encryption/railties/symmetric_encryption_validator' if defined?(ActiveModel)
-require 'symmetric_encryption/mongoid' if defined?(Mongoid)
+require 'symmetric_encryption/extensions/mongoid/encrypted' if defined?(Mongoid)
+require 'symmetric_encryption/extensions/mongo_mapper/plugins/encrypted_key' if defined?(MongoMapper)

data/lib/symmetric_encryption/cipher.rb

@@ -23,7 +23,7 @@ module SymmetricEncryption
       :key,                 # [String] Key used to encrypt the data, if supplied in the header
       :cipher_name,         # [String] Name of the cipher used, if supplied in the header
       :version,             # [Integer] Version of the cipher used, if supplied in the header
-      :decryption_cipher,   # [SymmetricEncryption::Cipher] Cipher matching the header, or SymmetricEncryption.cipher(default_version)
+      :decryption_cipher    # [SymmetricEncryption::Cipher] Cipher matching the header, or SymmetricEncryption.cipher(default_version)
     )
 
     # Generate a new Symmetric Key pair
@@ -36,9 +36,9 @@ module SymmetricEncryption
       openssl_cipher.encrypt
 
       {
-        :key         => openssl_cipher.random_key,
-        :iv          => openssl_cipher.random_iv,
-        :cipher_name => cipher_name
+        key:         openssl_cipher.random_key,
+        iv:          openssl_cipher.random_iv,
+        cipher_name: cipher_name
       }
     end
 

data/lib/symmetric_encryption/extensions/active_record/base.rb

@@ -42,51 +42,9 @@ module ActiveRecord #:nodoc:
         define_attribute_methods rescue nil
 
         options   = params.last.is_a?(Hash) ? params.pop.dup : {}
-        random_iv = options.delete(:random_iv) || false
-        compress  = options.delete(:compress) || false
-        type      = options.delete(:type) || :string
-
-        raise "Invalid type: #{type.inspect}. Valid types: #{SymmetricEncryption::COERCION_TYPES.inspect}" unless SymmetricEncryption::COERCION_TYPES.include?(type)
-
-        # For backward compatibility
-        if options.delete(:marshal) == true
-          warn("The :marshal option has been deprecated in favor of :type. For example: attr_encrypted name, :type => :yaml")
-          raise "Marshal is depreacted and cannot be used in conjunction with :type, just use :type. For #{params.inspect}" if type != :string
-          type = :yaml
-        end
-
-        options.each {|option| warn "Ignoring unknown option #{option.inspect} supplied to attr_encrypted with #{params.inspect}"}
-
-        if const_defined?(:EncryptedAttributes, _search_ancestors = false)
-          mod = const_get(:EncryptedAttributes)
-        else
-          mod = const_set(:EncryptedAttributes, Module.new)
-          include mod
-        end
 
         params.each do |attribute|
-          # Generate unencrypted attribute with getter and setter
-          mod.module_eval(<<-UNENCRYPTED, __FILE__, __LINE__ + 1)
-            # Returns the decrypted value for the encrypted attribute
-            # The decrypted value is cached and is only decrypted if the encrypted value has changed
-            # If this method is not called, then the encrypted value is never decrypted
-            def #{attribute}
-              if @stored_encrypted_#{attribute} != self.encrypted_#{attribute}
-                @#{attribute} = ::SymmetricEncryption.decrypt(self.encrypted_#{attribute},version=nil,:#{type}).freeze
-                @stored_encrypted_#{attribute} = self.encrypted_#{attribute}
-              end
-              @#{attribute}
-            end
-
-            # Set the un-encrypted attribute
-            # Also updates the encrypted field with the encrypted value
-            def #{attribute}=(value)
-              v = SymmetricEncryption::coerce(value, :#{type})
-              self.encrypted_#{attribute} = @stored_encrypted_#{attribute} = ::SymmetricEncryption.encrypt(v,#{random_iv},#{compress},:#{type})
-              @#{attribute} = v.freeze
-            end
-          UNENCRYPTED
-
+          SymmetricEncryption::Generator.generate_decrypted_accessors(self, attribute, "encrypted_#{attribute}", options)
           encrypted_attributes[attribute.to_sym] = "encrypted_#{attribute}".to_sym
         end
       end
@@ -100,7 +58,7 @@ module ActiveRecord #:nodoc:
       #     attr_encrypted :email
       #   end
       #
-      #   User.encrypted_attributes # { :email => :encrypted_email }
+      #   User.encrypted_attributes  =>  { email: encrypted_email }
       def encrypted_attributes
         @encrypted_attributes ||= superclass.respond_to?(:encrypted_attributes) ? superclass.encrypted_attributes.dup : {}
       end
@@ -180,8 +138,10 @@ module ActiveRecord #:nodoc:
         method_missing_without_attr_encrypted(method, *args, &block)
       end
 
-      alias_method_chain :method_missing, :attr_encrypted
-
+      # Dynamic finders dropped in Rails 4.1
+      if ActiveRecord::VERSION::STRING.to_f < 4.1
+        alias_method_chain :method_missing, :attr_encrypted
+      end
     end
   end
 end